Today I was hit with a 0-day virus: ZBot/Backdoor.Paproxy, or whatever the antivirus companies call it.

It came as an e-mail claiming to be from UPS (you can guess now why “UPS virus” is in quotes) and was a zip file with an executable inside: UPS_INVOICE_978172.zip to be exact, but there are several variants.

What they usually have in common is the subject line: “[RE] UPS Tracking Number” followed by a random number.

Most of the e-mails were detected (as spam) by the antivirus scanner on the mail gateway, but some reached end users.

To be honest, this one was really good at tempting users to open it, and some did….

This was no pleasant experience. Right away the PC rebooted and the trojan was installed.

The other problem was that only 2 antivirus companies were able to detect it this morning (the number had increased to 13 by the afternoon).

After updated virus definitions from Symantec were installed, the backdoor was detected and removed.

Lesson learned: NEVER open an executable from an attachment.

Here you can see whether your antivirus is up to date with that particular virus.

Another version…

UPDATE: There are new versions not recognized by Symantec yet, so follow the lesson above.

Lenovo is shipping new ThinkPads preinstalled with a huge amount of software you do not really need.

This slows the boot process to a degree a new computer should never suffer.

Here is the list of software I removed from the T61:

  • All MS Office related (trial) software – later I’ll install the products we have a license for
  • SQL Server (yes, it is installed) and its related components
  • Windows Live Toolbar
  • Norton Internet Security – will replace it with Norton Endpoint Protection

The other option is to reinstall the system from scratch.

Excellent tutorial on how to do it

Tip: Do not connect the system to the Internet until you are ready to. It starts downloading and installing Windows updates right away and will slow down the machine.

Recently, after installing Office 2007 with the default installation options, I saw an unusual entry in my Task Manager process list:

GrooveMonitor.exe

It took almost 8 MB of memory, so I started searching for what it is.

I quickly discovered that it is part of MS Office 2007 and is used to share files and work on projects with other Microsoft Office Groove users.

It sounds nice, but I do not use it at all, so I started searching for ways to remove it from the system.

After looking at the standard approach of killing the process and erasing the startup entry, I tried Add/Remove Programs –> Office 2007 –> Change, and to my surprise I saw a Groove entry.

So I unchecked it, and that removed it. Strange, but it worked.

Credits

Microsoft’s release candidate for Windows XP Service Pack 3 is available for download.

I decided to check the logs on my Compaq system and discovered the following error:

Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7026
Date:        16/12/2007
Time:        2:50:16 PM
User:        N/A
Computer:    COMPAQ
Description:
The following boot-start or system-start driver(s) failed to load:
ftsata2

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

It was a little bit strange, because I have nVidia S-ATA drivers installed, and this driver appears to be from Promise. After searching on the Internet I came to the following solution posted on HP’s site:

Go to Start->Control Panel->System->Hardware->Device Manager->View->Show Hidden Devices->Non-Plug and Play Drivers->ftsata2->Driver->Startup Type = Demand

Shortcut: just press Win key + Pause/Break and continue from Hardware.
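The same change can be made from the command line, and it is worth checking what the driver actually is before silencing the error. The following PowerShell script is an added example, not part of the original post: it pulls the drivers named in Service Control Manager event 7026 from the System log, reports each one's current start type, file location and Authenticode signature status, and then switches a named driver to demand start (Start=3), which is exactly what the Device Manager setting does. The driver name ftsata2 comes from the post; the registry layout under HKLM\SYSTEM\CurrentControlSet\Services is standard, and the function names and output format are my own. Run it from an administrator PowerShell prompt.

```powershell
# Added example, not from the original post. Automates the fix described above:
# list drivers reported in SCM event 7026, inspect them, then set one to demand
# start. 'ftsata2' is the driver from the post; everything else is an assumption
# about a standard XP/Vista-era install. Run as administrator.

$StartTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Demand'; 4 = 'Disabled' }

function Get-FailedBootDrivers {
    # The 7026 message is a header line followed by one driver name per line.
    Get-EventLog -LogName System |
        Where-Object { $_.EventID -eq 7026 -and $_.Source -eq 'Service Control Manager' } |
        ForEach-Object {
            $lines = $_.Message.Split([char]10)
            if ($lines.Length -gt 1) {
                $lines[1..($lines.Length - 1)] |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ -and $_ -notlike 'For more information*' }
            }
        } | Sort-Object -Unique
}

function Get-DriverInfo($name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { throw "No service key for driver '$name'" }
    $svc = Get-ItemProperty $key

    # ImagePath is usually relative ('system32\DRIVERS\x.sys') or prefixed with
    # '\SystemRoot\'; a driver with no ImagePath defaults to system32\drivers\<name>.sys.
    $path = $svc.ImagePath
    if (-not $path) { $path = "system32\drivers\$name.sys" }
    $path = $path -replace '^\\SystemRoot\\', ''
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

    $exists = Test-Path $path
    $signature = 'file missing'
    if ($exists) { $signature = (Get-AuthenticodeSignature $path).Status }

    @{
        Name      = $name
        Start     = $svc.Start
        StartType = $StartTypeNames[[int]$svc.Start]
        ImagePath = $path
        Exists    = $exists
        Signature = $signature
    }
}

function Set-DriverDemandStart($name) {
    # 'sc' alone is PowerShell's alias for Set-Content, so call the service
    # controller by its full name. sc.exe requires the space after 'start='.
    & sc.exe config $name start= demand | Out-Null
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name").Start
    if ($start -ne 3) { throw "Start type of '$name' is still $start, expected 3 (Demand)" }
    "$name is now set to demand start (Start=3); event 7026 should not recur for it."
}

# Report first: a boot-start driver you do not recognise deserves a look before
# it is silenced, since malicious kernel drivers register under the same key.
foreach ($drv in Get-FailedBootDrivers) {
    $i = Get-DriverInfo $drv
    '{0}: Start={1} ({2}), file={3}, exists={4}, signature={5}' -f `
        $i.Name, $i.Start, $i.StartType, $i.ImagePath, $i.Exists, $i.Signature
}

# Then change only the driver you have identified, e.g. the Promise one from the post:
# Set-DriverDemandStart 'ftsata2'
```

The Start value mapping (0 Boot, 1 System, 2 Automatic, 3 Demand, 4 Disabled) is the standard SERVICE_*_START set, so the script's check that Start becomes 3 is the same thing Device Manager shows as "Demand". If the file turns out to be missing entirely, a cleaner fix than demand start is uninstalling the leftover Promise driver package, since a service entry with no binary only generates noise.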

A new (old) PC Tools utility detected my wget.exe as a keylogger. After I submitted the issue to tech support they concluded (surprisingly fast for a free product) that it is most probably a false positive, and after further study they will update their rules.

For now, just add wget.exe to the safe processes.

This Firefox update is strongly recommended.

It fixes the following security flaws:

MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

But this is not all….

When restarting Firefox to apply the update I was surprised by the message that I cannot install the update because I’m not the owner of the file or do not have administrative privileges…

After several retries I realized that another user was logged on to my PC and was using Firefox 🙁. After closing this extra copy the update was installed, and now I use the latest version.

The interesting thing here is that you can create this image while working on your computer, avoiding the use of a bootable CD and text-based utilities.

The tool needed can be found here, and a good tutorial on how to use it here.

Update of the update:

The 2.0.0.8 release fixed some 200 issues, but accidentally regressed a few things. Most users won’t see any difference or experience any problems, and those 200 fixes make the 2.0.0.8 update very valuable, but you should never have to choose functionality over security. So we’re working fast to understand and fix these problems, and will shortly be issuing a 2.0.0.9 update to address them. The specific problems are:

  • Bug 400406 – Firefox will ignore the “clear” CSS property when used beneath a box that is using the “float” property. There is a temporary workaround JS/CSS code available for web developers with affected layouts.
  • Bug 400467 – Windows Vista users will get “Java not found” or “Java not working” errors when trying to load Java applets after updating. To fix this, users can right-click the Firefox icon and “Run as administrator”, then browse to a page with a Java applet — doing this once will fix the problem and permanently restore Java functionality.
  • Bug 396695 – Add-ons are disabled after updating. Users can fix this problem by opening their profile folder and removing three files (extensions.rdf, extensions.ini and extensions.cache)
  • Bug 400421 – Removing a single area element from an image map will cause the entire map to disappear. There is no workaround available at this time.
  • Bug 400735 – Some Windows users may experience crashes at startup. There is no workaround available at this time.

A few hours after Adobe released a patch for Acrobat Reader, an exploit was released.

Currently you may receive e-mail with YOUR_BILL.pdf or INVOICE.pdf as an attachment. When the user opens the file, a Trojan horse is installed on the system.

It is HIGHLY recommended to update to Acrobat Reader 8.1.1.

How?

Launch Acrobat and go to Help –> Check for Updates.
